Monday, July 1, 2013

Major security flaws found in integral part of Israel's biometric ID system

Israel is expected to roll out its new biometric database
and smart ID cards in the coming weeks, but a critical component of that plan
suffers from faulty security, Justice Ministry documents that were leaked by
mistake Sunday and published online reveal.

The documents, first made public on a Channel 10 program
about the Internet, expose email
correspondence and information about security checks for part of the biometric
project meant to authenticate electronic ID cards.

As part of the project, a national certificate authority
will issue electronic ID cards and verify their security. The government says
the project is part of a larger initiative that would improve its connection
with the people.

The biometric database would ultimately be managed by the
Population and Immigration Authority.

The leaked documents reveal a number of shortcomings.

The Justice Ministry's Israeli Law, Information and Technology Authority – which
helps with personal data protection – was able to breach part of the biometric
system’s security, as was information security firm Comsec.

Comsec revealed that the certificate authority aspect is not
protected by antivirus software, does not have warning systems and does not
keep a log of firewall incidents. In addition, requests for new IDs from the
Interior Ministry to the certificate authority are transferred via an insecure
system.

One of the leaked documents is a letter from attorney Rivka
Dvash, acting head of the Israeli Law, Information and Technology Authority –
ILITA. Dvash writes that Yogev Shamni, the chief information officer at the
Population and Immigration Authority, told her the system has been checked and
is reasonably secure, but that ILITA was barred from seeing the data.

Dvash added that taking into consideration the partial
information ILITA has received, in addition to an opinion from an ILITA
security consultant, she cannot be sure the system is ready to withstand
security violations.

Meanwhile, Doron Ofek, a data security specialist, said that it is not the
biometric data that is at risk, but the so-called
digital certificate that citizens use for identification when seeking
government services. "Problems in securing this network create security
problems in the entire network of biometric certificate registration," he
said.

For its part, the Justice Ministry said the deficiencies
ILITA points out are being discussed with the relevant parties. It said this
discussion is in its early stages and that the leaked documents include initial
and raw data. It said the new system will be tested according to the strictest
standards during its pilot stage.

The ministry added that a document was accidentally emailed
to a larger distribution group than intended. Director General Guy Rotkopf has
instructed the ministry’s security officer to look into the incident.

The Population and Immigration Authority said ILITA is one
of the agencies it must consult on the matter, but that other
information-security experts are also being consulted. It noted that the ILITA
document does not relate to the biometric data found in the biometric ID card
but rather to electronic verification data used for identification purposes on
the e-government portal.